The risk and compliance pressures facing asset managers show few signs of abating, with many firms choosing to invest in third-party technology platforms to help with ongoing risk and compliance monitoring.
But procuring a third-party platform brings with it a new set of responsibilities. As the FCA recently highlighted in a report on the selection and use of asset management portfolio tools, ‘processes and controls, particularly in risk model oversight and contingency planning’ are required.
So what does this mean for UCITS-regulated firms in practice? For those using, or thinking of implementing, a compliance monitoring platform, it’s important that there is a robust control framework within the firm to provide compliance oversight and model governance, and to measure the ongoing effectiveness of the platform.
In addition, this should be matched with a control framework within the technology solution provider itself to provide assurance on compliance change management, data governance and model transparency. Let’s take a closer look.
Build or Buy?
Firms surveyed by the FCA that had built in-house software tools were ‘aware of the costs of their choice and regularly looked at how they could reduce this’. Moreover, the high cost of ownership for self-built solutions was further compounded by the shortage of available skills within some firms to maintain the software with ongoing regulatory change.
An additional difficulty with in-house software tools can be the separation of pre- and post-trade monitoring. For UCITS-regulated firms, the pre-trade compliance function often resides with the OMS, while post-trade compliance monitoring is frequently an in-house tool, created in a user-developed application.
A streamlined third-party platform can help you get around these issues, and it should bring a level of independence that can’t be achieved with an in-house created tool.
This independence is further bolstered by the third party managing the implementation and testing of regulatory change, thus complementing the compliance testing framework in the firm itself. And adding a layer of independence will ensure you’re acting in the spirit, rather than just the letter, of the law.
When selecting a third-party platform, particularly with cloud solutions, it’s important that the vendor has a robust governance framework in place. The framework should include controls for information security (e.g. ISO 27001), compliance change management, business continuity and risk management.
While the FCA and the CSSF have published guidelines for the adoption and governance of technology solutions, these guidelines remain non-binding, and it’s recommended firms take a risk-based approach, depending on the critical nature of the function.
For UCITS pre- and post-trade monitoring, for instance, any automated rule books should be reviewed by independent UCITS-specialised regulatory legal experts to ensure compliance with the regulations. A technology provider with a robust compliance framework will ensure this happens without you having to seek independent legal advice.
Single Platform vs Multiple Vendors
Finally, the decision on whether to go with one or more technology providers is another governance consideration, and is particularly relevant with the rise of Super ManCos providing operational oversight, regulatory compliance and risk management across both UCITS and AIFMs (Alternative Investments).
With CP 86 regulations from the Central Bank of Ireland requiring demonstrable substance to be evidenced across the six key functions of the ManCo, a single platform, with strong workflow capabilities, helps demonstrate organisational effectiveness in a consolidated, meaningful way.
In addition to this, a single platform brings efficiencies for vendor management, model governance, data management, regulatory change, compliance testing and business resilience. As noted in the FCA report, benefits include:
- reducing manual input, lowering the risk of errors from data being re-keyed or presented differently on various tools
- improved oversight, in both first and second-line, due to consistent and controlled data handling and creating a ‘single source of truth’
While there are potential drawbacks when it comes to relying on a single platform, these can be mitigated by thorough due diligence and making sure any third-party provider enhances your overall operational resilience.
In our next UCITS instalment, we’ll explain how a customisable UCITS compliance monitoring platform can meet your regulatory obligations, including likely UCITS VI changes, whilst also reflecting the distinctiveness of your firm.